@otus This is slightly different, the hash isn't encrypted in this case, and there is not a key concatenated with the data. However, that link is great for reading, thanks!
– user60561 Sep 14 '14 at 19:30

@D.W. Those are all $\text{E}(\text{data}|\text{H}(\text{data}))$, except for 11440, which also has variations on $\text{E}(\text{data})|\text{HMAC}(\text{data})$. I've edited my question to clarify. I will be reading them however, they are very much related to this question.
– user60561 Sep 18 '14 at 2:57

1 Answer
1

Is appending the hash of the plaintext to the end of an encrypted message sufficient to ensure integrity?

Not in the sense of authentication. Such a construction is malleable for many reasonable encryption algorithms. It also leaks the plaintext to anyone who can guess it, since they can calculate $h(P_i)$ for guesses (brute force or dictionary attack) and compare to the hash value.

As for malleability, if the cipher is a stream cipher and the attacker can guess that the message is $A$, then they can turn it to an equally long message $A'$ by calculating a new ciphertext $C' = C \oplus A \oplus A'$ and replacing the old hash with $h(A')$.

CTR, OFB etc. modes are essentially stream ciphers so the above applies. Similar attacks, perhaps more limited, are possible against some other block cipher modes as well. For example, with CBC the attacker can replace the last message block with some earlier block to make a deterministic change to the message (xor by a xor of certain ciphertext blocks). They can then calculate the new hash and replace.
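The two failures the answer describes for the stream-cipher case (the $C' = C \oplus A \oplus A'$ manipulation with the hash swapped for $h(A')$, and the exposed $h(P)$ confirming a guessed plaintext), side by side with an encrypt-then-MAC construction that rejects the same ciphertext change. This is an added example, not code from the original thread or its participants; the keystream generator, the keys, the nonce and the messages are constructed for the demonstration, and the SHA-256 counter construction stands in for any stream cipher or CTR/OFB mode rather than being a real cipher.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not from the original thread).
ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
MAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100")
NONCE = b"\x00" * 8
TAG_LEN = 32  # SHA-256 output length, used for both h(P) and the HMAC tag


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: SHA-256(key || nonce || counter), concatenated.
    Assumption: this stands in for the stream cipher / CTR / OFB case the
    answer discusses; it is not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Scheme from the question: E(P) || H(P) ------------------------------

def encrypt_with_hash(plaintext: bytes) -> bytes:
    ct = xor(plaintext, keystream(ENC_KEY, NONCE, len(plaintext)))
    return ct + hashlib.sha256(plaintext).digest()


def decrypt_with_hash(blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    pt = xor(ct, keystream(ENC_KEY, NONCE, len(ct)))
    if not hmac.compare_digest(hashlib.sha256(pt).digest(), tag):
        raise ValueError("hash mismatch")
    return pt


def malleate(blob: bytes, guessed: bytes, desired: bytes) -> bytes:
    """The manipulation from the answer: C' = C xor A xor A', with the trailing
    hash replaced by h(A'). No key is involved, which is the whole problem."""
    ct = blob[:-TAG_LEN]
    return xor(ct, xor(guessed, desired)) + hashlib.sha256(desired).digest()


def plaintext_from_hash(blob: bytes, candidates):
    """The leak from the answer: the exposed h(P) confirms a guessed plaintext."""
    tag = blob[-TAG_LEN:]
    for c in candidates:
        if hashlib.sha256(c).digest() == tag:
            return c
    return None


# --- Encrypt-then-MAC: keyed MAC over nonce and ciphertext ----------------

def encrypt_then_mac(plaintext: bytes) -> bytes:
    ct = xor(plaintext, keystream(ENC_KEY, NONCE, len(plaintext)))
    return ct + hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()


def decrypt_then_mac(blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC mismatch")
    return xor(ct, keystream(ENC_KEY, NONCE, len(ct)))


def demo() -> dict:
    original = b"PAY 0010 USD"
    altered = b"PAY 9999 USD"  # same length, as the answer requires

    blob = encrypt_with_hash(original)
    forged = malleate(blob, original, altered)
    results = {
        "hash_scheme_accepts_forgery": decrypt_with_hash(forged) == altered,
        "hash_scheme_leaks_plaintext":
            plaintext_from_hash(blob, [b"PAY 0001 USD", original, altered]) == original,
    }

    # Same ciphertext change against encrypt-then-MAC: the tag no longer verifies.
    blob2 = encrypt_then_mac(original)
    tampered = xor(blob2[:-TAG_LEN], xor(original, altered)) + blob2[-TAG_LEN:]
    try:
        decrypt_then_mac(tampered)
        results["etm_accepts_forgery"] = True
    except ValueError:
        results["etm_accepts_forgery"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that the hash in `E(P) || H(P)` is computable by anyone, so it binds nothing; the HMAC in `encrypt_then_mac` is keyed and covers the ciphertext, so a one-bit change to the ciphertext invalidates it before any decryption happens. The same reasoning is why an AEAD mode (for example AES-GCM) is the usual recommendation rather than assembling the pieces by hand.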